They happen everywhere. How can your company be safe?
Almost no industry seems to be free of data breaches. In retail, we've heard about Target and Neiman Marcus (and now Sears and other retailers are investigating whether they have been hacked). In education it's Indiana University and the University of Maryland, the most recent as of this writing. We've heard about Barclays Bank, the government, and you name it. One begins to wonder how many times our information can be bought and sold before it stops affecting us. But does it have to be this way?
Well, like many questions in life, I suppose yes and no. Back in the day, before the Internet, people used to talk about home security and front door locks. The old saying was that, "Locks keep honest people honest." Implied was the knowledge that any lock designed by one human can be picked by another. The same is true for physical security today, and especially for cyber security. Much as Homeland Security has noted about terrorism, "We have to be right 100 percent of the time, while they only have to be right once." Attackers have software (most of it free, with YouTube videos to help the uneducated learn), social engineering, disgruntled employees, and a list that goes on for quite a while.
So, what can you and I do, Mr. Businessman or Ms. Businesswoman, to keep our own, our employees' and our clients' information safe and secure, yet still accessible when needed? Actually, there are a number of things we can do. There isn't enough room here to discuss paper records, but several of these suggestions apply to both.
* Write down policies and procedures for physical security and cyber security. Then train your employees in what to do when problems arise. For instance, what would your office do if a computer technician showed up to fix your server and you were not available?
* Keep your server physically safe and secure. It should remain locked in a properly air conditioned room with limited access. Social engineering is the new term for con jobs (check out Kevin Mitnick's book Ghost in the Wires for some incredible tales). See the first bullet: write down policies and procedures, and train.
* Do not allow unsupervised or unstructured access to the Internet. An innocent and unsuspecting employee can easily download a worm or any number of other kinds of malware without knowing it.
* Don't allow access to personal email (Gmail, Yahoo and other webmail accounts). Mail read in a browser bypasses whatever filtering your company mail server does, so it is another excellent way to become ensnared in a phishing scam.
* Check your browser to be sure third-party cookies are disabled.
* Disable logins and change passwords immediately when someone leaves, including any shared or service-account passwords that person knew. This won't help with the disgruntled employee who is still employed, but at least the one who just left won't be able to pass working credentials to someone who knows how to use them.
* While we're at logins and passwords, keep the permissions on each login current and appropriate (no more access than the job requires) and require strong passwords. Then change them every 30 to 45 days, depending on how secure you want to be. One caveat: more recent guidance such as NIST SP 800-63B prefers long passwords screened against lists of known-breached ones, with forced changes only when compromise is suspected, because frequent mandatory rotation pushes people toward predictable variations of the same password.
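The last two bullets describe a review that is easy to put on a schedule. Here is an added example (not from the column, and not a product of DRD, LLC) of such a review in Python. The HR roster, the approved-admin list and the account records are constructed sample data; in practice the roster comes from HR and the account data from your directory or admin console, and the 45-day thresholds match the rotation interval suggested above.

```python
"""Periodic account review: flag logins that should be disabled or trimmed.

Added example, not code from the original column. All data below is
constructed for illustration; replace it with an export from HR and from
your directory (Active Directory, LDAP, a SaaS admin console, etc.).
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    login: str
    owner: str               # employee id of the person responsible for the login
    roles: frozenset         # e.g. {"user"} or {"user", "admin"}
    last_login: date         # most recent successful login
    password_changed: date   # when the password was last set


# --- constructed sample inputs -------------------------------------------
TODAY = date(2014, 3, 3)                    # the day the review is run
CURRENT_STAFF = {"e101", "e102", "e103"}    # from HR; e104 left last month
APPROVED_ADMINS = {"e101"}                  # who is supposed to hold admin

ACCOUNTS = [
    # login        owner   roles                         last_login        password_changed
    Account("alice", "e101", frozenset({"user", "admin"}), date(2014, 3, 1), date(2014, 2, 1)),
    Account("bob", "e102", frozenset({"user"}), date(2014, 2, 28), date(2014, 1, 1)),   # stale password
    Account("carol", "e103", frozenset({"user", "admin"}), date(2014, 3, 2), date(2014, 2, 15)),  # admin not approved
    Account("dave", "e104", frozenset({"user"}), date(2014, 2, 10), date(2014, 2, 1)),  # owner has left
    Account("svc_backup", "e101", frozenset({"user"}), date(2013, 11, 1), date(2014, 2, 1)),  # never used
]


def review_accounts(accounts, current_staff, approved_admins, today,
                    max_idle_days=45, max_password_age_days=45):
    """Return a list of (login, finding) pairs, in account order.

    Checks, in order: owner no longer employed; admin role held without
    approval; no login within max_idle_days; password older than
    max_password_age_days. An account can produce more than one finding.
    """
    findings = []
    for acct in accounts:
        if acct.owner not in current_staff:
            findings.append((acct.login, "owner has left: disable immediately"))
        if "admin" in acct.roles and acct.owner not in approved_admins:
            findings.append((acct.login, "holds admin without approval: reduce permissions"))
        idle = (today - acct.last_login).days
        if idle > max_idle_days:
            findings.append((acct.login, f"no login for {idle} days: confirm still needed"))
        age = (today - acct.password_changed).days
        if age > max_password_age_days:
            findings.append((acct.login, f"password {age} days old: force a change"))
    return findings


if __name__ == "__main__":
    for login, finding in review_accounts(ACCOUNTS, CURRENT_STAFF, APPROVED_ADMINS, TODAY):
        print(f"{login}: {finding}")
```

Run on the sample data it reports dave (departed), carol (unapproved admin), svc_backup (122 days idle) and bob (password 61 days old); alice, who is current, approved and recently active, produces nothing. The point of keeping the HR roster as a separate input is that the directory cannot tell you who has left; only HR can, which is why the offboarding step needs to be written into procedure rather than left to whoever notices.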
While this isn't exhaustive, it's at least a start. In everything regarding this (I know I've said this, but it bears repeating), write up the policy or procedure and train your employees. If it isn't written, it doesn't exist, and if you are breached you should be able to prove whatever efforts you took to avoid it. If you have written it down but don't keep your employees trained and aware of it, you aren't much better off. If your employees don't know company policy on computer access for themselves and for visitors to your office, how can they be expected to protect your company the way you want it protected?
Don't be a willing victim. If you are breached, be sure you make them work for it.
Ron Bush founded and oversees DRD, LLC, an information management company, consulting with companies to improve the safe and secure management of their information. He is also president of the Valparaiso Rotary and active in a number of local and international organizations.